Switch back to strict confinement

The following are included in the switch to strict confinement:
* Set snapcraft.yaml confinement to strict and restore/update plugs
* Drop building of python as it's not required for strict snaps
* Patch setgroups from ngnix since it's not covered by a plug
* Switch back to running apps under root
* Build libxml into snap

Change-Id: I3f73f79844728ffc8e12632e14595e1cd7c375cf

README.md

@@ -7,7 +7,7 @@ service, Keystone.
 
 The keystone snap can be installed directly from the snap store:
 
-    sudo snap install --edge --classic keystone
+    sudo snap install --edge keystone
 
 The keystone snap is working towards publication across tracks for
 OpenStack releases. The edge channel for each track will contain the tip
@@ -17,8 +17,8 @@ will be published progressively to beta, then candidate, and then stable once
 CI validation completes for the channel. This should result in an experience
 such as:
 
-    sudo snap install --classic --channel=ocata/stable keystone
+    sudo snap install --channel=ocata/stable keystone
-    sudo snap install --classic --channel=pike/edge keystone
+    sudo snap install --channel=pike/edge keystone
 
 ## Configuring keystone
 
@@ -90,11 +90,6 @@ The services for the keystone snap will log to its $SNAP_COMMON writable area:
 
 ## Managing keystone
 
-The keystone snap will drop privileges to run daemons and commands under
-a regular user named snap-keystone. Additionally, permissions and ownership
-of files and directories in /var/snap/keystone/common/ are modified to
-restrict access from other users.
-
 The keystone snap has alias support that enables use of the well-known
 keystone-manage command. To enable the alias, run the following prior to
 using the command:

patches/drop-nginx-setgroups.patch

@@ -0,0 +1,57 @@
+Description: Drop code where nginx drops privileges for worker
+  processes. While setuid is covered by the browser-support plug,
+  setgroups isn't covered by any plugs. This code isn't required
+  because in strict mode we run worker processes as root:root.
+  The seccomp violation follows:
+  = Seccomp =
+  Time: Jun 16 01:13:15
+  Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=6087 comm="nginx"
+       exe="/snap/keystone/x1/usr/sbin/nginx" sig=31 arch=c000003e
+       116(setgroups) compat=0 ip=0x7f40e288af09 code=0x0
+  Syscall: setgroups
+  Suggestion:
+  * adjust program to not use 'setgroups' until per-snap user/groups
+    are supported (https://launchpad.net/bugs/1446748)
+Author: Corey Bryant <corey.bryant@canonical.com>
+Forwarded: no
+
+---
+ src/os/unix/ngx_process_cycle.c | 22 ----------------------
+ 1 file changed, 22 deletions(-)
+
+diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
+index 1710ea8..c428673 100644
+--- a/src/os/unix/ngx_process_cycle.c
++++ b/src/os/unix/ngx_process_cycle.c
+@@ -824,28 +824,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
+         }
+     }
+ 
+-    if (geteuid() == 0) {
+-        if (setgid(ccf->group) == -1) {
+-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+-                          "setgid(%d) failed", ccf->group);
+-            /* fatal */
+-            exit(2);
+-        }
+-
+-        if (initgroups(ccf->username, ccf->group) == -1) {
+-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+-                          "initgroups(%s, %d) failed",
+-                          ccf->username, ccf->group);
+-        }
+-
+-        if (setuid(ccf->user) == -1) {
+-            ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+-                          "setuid(%d) failed", ccf->user);
+-            /* fatal */
+-            exit(2);
+-        }
+-    }
+-
+     if (worker >= 0) {
+         cpu_affinity = ngx_get_cpu_affinity(worker);
+ 
+-- 
+2.7.4
+

snap/snap-openstack.yaml

@@ -1,16 +1,8 @@
 setup:
-  users:
-    snap-keystone: [snap-keystone]
-  default-owner: "root:snap-keystone"
   dirs:
-    - "{snap_common}/etc"
-    - "{snap_common}/etc/keystone"
     - "{snap_common}/etc/keystone/keystone.conf.d"
-    - "{snap_common}/etc/nginx"
     - "{snap_common}/etc/nginx/sites-enabled"
-    - "{snap_common}/etc/nginx/snap"
     - "{snap_common}/etc/nginx/snap/sites-enabled"
-    - "{snap_common}/etc/uwsgi"
     - "{snap_common}/etc/uwsgi/snap"
     - "{snap_common}/fernet-keys"
     - "{snap_common}/lib"
@@ -21,12 +13,6 @@ setup:
     keystone-nginx.conf.j2: "{snap_common}/etc/nginx/snap/sites-enabled/keystone.conf"
     keystone-snap.conf.j2: "{snap_common}/etc/keystone/keystone.conf.d/keystone-snap.conf"
     nginx.conf.j2: "{snap_common}/etc/nginx/snap/nginx.conf"
-  rchown:
-    "{snap_common}/fernet-keys": "snap-keystone:snap-keystone"
-    "{snap_common}/lib": "snap-keystone:snap-keystone"
-    "{snap_common}/lock": "snap-keystone:snap-keystone"
-    "{snap_common}/log": "snap-keystone:snap-keystone"
-    "{snap_common}/run": "snap-keystone:snap-keystone"
 entry_points:
   keystone-manage:
     binary: "{snap}/bin/keystone-manage"
@@ -36,8 +22,6 @@ entry_points:
       - "{snap_common}/etc/keystone/keystone.conf"
     config-dirs:
       - "{snap_common}/etc/keystone/keystone.conf.d"
-    run-as:
-      snap-keystone: [snap-keystone]
   keystone-uwsgi:
     type: uwsgi
     uwsgi-dir: "{snap_common}/etc/uwsgi/snap"
@@ -53,8 +37,6 @@ entry_points:
     templates:
       admin.ini.j2: "{snap_common}/etc/uwsgi/snap/admin.ini"
       public.ini.j2: "{snap_common}/etc/uwsgi/snap/public.ini"
-    run-as:
-      snap-keystone: [snap-keystone]
   keystone-nginx:
     type: nginx
     config-file: "{snap_common}/etc/nginx/snap/nginx.conf"

snap/templates/nginx.conf.j2

@@ -1,4 +1,4 @@
-user snap-keystone snap-keystone;
+user root root;
 worker_processes auto;
 pid {{ snap_common }}/run/nginx.pid;
 

snapcraft.yaml

@@ -6,31 +6,30 @@ description: |
   mechanisms via HTTP primarily for use by projects in the OpenStack
   family. It is most commonly deployed as an HTTP interface to existing
   identity systems, such as LDAP.
-confinement: classic
+confinement: strict
 grade: devel
 
 apps:
   uwsgi:
-    command: >
+    command: snap-openstack keystone-uwsgi
-      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
-      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack keystone-uwsgi
     daemon: simple
+    plugs:
+      - network-bind
   nginx:
-    command: >
+    command: snap-openstack keystone-nginx
-      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
-      LD_LIBRARY_PATH=$SNAP/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
-      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack keystone-nginx
     daemon: forking
+    plugs:
+      - browser-support
+      - network-bind
   manage:
-    command: >
+    command: snap-openstack keystone-manage
-      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
-      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack keystone-manage
     aliases:
       - keystone-manage
+    plugs:
+      - network
 
 parts:
   keystone:
-    after: [python]
     plugin: python
     python-version: python2
     source: http://tarballs.openstack.org/keystone/keystone-stable-ocata.tar.gz
@@ -47,15 +46,10 @@ parts:
       - libmysqlclient-dev
       - libssl-dev
       - libsqlite3-dev
-    stage:
-      - -usr/bin/2to3
-      - -usr/bin/pydoc
-      - -usr/bin/python2.7
-      - -usr/lib/python2.7
     install: |
       touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py
       touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py
-      export SNAP_ROOT="../../../"
+      export SNAP_ROOT="../../.."
       export SNAP_SITE_PACKAGES="$SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages"
       patch -d $SNAP_SITE_PACKAGES -p1 < $SNAP_ROOT/patches/oslo-config-dirs.patch
   templates:
@@ -88,19 +82,18 @@ parts:
       - --error-log-path=/var/snap/keystone/common/log/nginx-error.log
       - --lock-path=/var/snap/keystone/common/lock/nginx.lock
       - --pid-path=/var/snap/keystone/common/run/nginx.pid
+      - --http-client-body-temp-path=/var/snap/keystone/common/lib/nginx_client_body
+      - --http-proxy-temp-path=/var/snap/keystone/common/lib/nginx_proxy
+      - --http-fastcgi-temp-path=/var/snap/keystone/common/lib/nginx_fastcgi
+      - --http-uwsgi-temp-path=/var/snap/keystone/common/lib/nginx_uwsgi
+      - --http-scgi-temp-path=/var/snap/keystone/common/lib/nginx_scgi
     build-packages:
       - libpcre3-dev
       - libssl-dev
-  python:
+    prepare: |
-    source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
+      export SNAP_ROOT="../../.."
+      export SNAP_SOURCE="$SNAP_ROOT/parts/nginx/build"
+      patch -d $SNAP_SOURCE -p1 < $SNAP_ROOT/patches/drop-nginx-setgroups.patch
+  libxml2:
+    source: http://xmlsoft.org/sources/libxml2-2.9.4.tar.gz
     plugin: autotools
-    configflags:
-      - --prefix=/usr
-      - --enable-shared
-      - --enable-unicode=ucs4
-    build-packages:
-      - libssl-dev
-    prime:
-      - -usr/include
-    install:
-      $SNAPCRAFT_PART_INSTALL/usr/bin/python2 -m ensurepip